Hypervisors Bring New Capabilities and New Risks

Hypervisors bring new capabilities to us, but they also bring new computing risks. Understanding this new environment is important. As virtualization becomes mainstream, we need to find ways to identify risks and protect these new infrastructures. Hypervisors, while central to all virtualization methods, are a core risk area.

Hypervisors are a “meta” operating system in a virtualized environment. They have access to all physical devices in a server, including all disk and memory. Hypervisors both schedule access to these devices, and help to protect clients from each other. A server first starts to execute the hypervisor, which then loads each of the virtual machine client operating systems, allocating the appropriate amount of memory, CPU usage, network bandwidth and disk space for each of the VMs.

The hypervisor can control all aspects of all VMs running on the hardware, so it is a natural security target. Securing the hypervisor is vital and more complex than it appears.

VMs make requests to the hypervisor through several different methods, usually involving a specific API call. These APIs are prime targets for malicious code, so substantial effort is made by all hypervisors to ensure that the API’s are secure, and that only authentic (authenticated, and authorized) requests are made from the VMs. This is a critical path function. It should be noted, however, that speed is a significant requirement in all hypervisors, to ensure that the overall performance is not impacted.

There are already calls for new APIs to be made in order to make it easier for virtual machines to communicate with each other. On the surface, this makes sense – why write a file to disk, so another virtual machine can read it? Why not just do a memory-to-memory copy operation?

These APIs, such as the VMware VMCI facility, introduce a new kind of risk for operating systems running as virtual machines. As new capabilities are added over the next few years and we figure out how best to use these new technologies, security vendors need to be sure that we track these changes and be aware of the new ways in which malware can be introduced to the virtual machines.

Another point is the network path. Often, the network interface for the hypervisor is the exact hardware that the virtual machines use. If the network is not planned carefully, this can mean that the virtual machines can reach the hypervisor IP address, which could lead to a compromise if the hypervisor logins are not protected with strong passwords. It can also lead to DDoS attacks, which can make it difficult or impossible to reach the hypervisor from off-network, in order to shut down the rogue VM.